X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/2e17bd4b4697423f9c124cfdb802424a58c16d80..6fc82870d529dc755748bc1fb613bd179fd9851b:/cookbooks/networking/resources/firewall_rule.rb
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 4cda0486b..7d7d45b7a 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -75,7 +75,9 @@ action_class do
 if new_resource.connection_limit
 set = "connlimit-#{new_resource.rule}-#{ip}"
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic]
+ }
 rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
 end
@@ -85,7 +87,9 @@ action_class do
 rate = Regexp.last_match(1)
 burst = Regexp.last_match(2)
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic], :timeout => 120
+ }
 rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
 end
@@ -134,4 +138,11 @@ action_class do
 "{ #{Array(addresses).map(&:to_s).join(', ')} }"
 end
 end
+
+ def set_type(ip)
+ case ip
+ when "ip" then "ipv4_addr"
+ when "ip6" then "ipv6_addr"
+ end
+ end
 end
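Review bot: The set description pushed onto `node.default[:networking][:firewall][:sets]` for the connection-limit case carries `:name`, `:type` and `:flags` but no size bound, and the same is true of the rate-limit set in the second hunk. Both sets are filled from the packet path, one element per source address (`add @#{set} { #{ip} saddr ... }`), so their element count is driven by remote peers rather than by configuration. nftables sets accept a `size` limit; if the template that renders these hashes (not visible here) does not already apply one, consider carrying it explicitly, e.g. `:name => set, :type => set_type(ip), :flags => %w[dynamic], :size => 65535` (value constructed for illustration), and deciding what the rule should do when the set is full. The surrounding `if new_resource.connection_limit` block begins and ends inside the hunk, but the enclosing method does not.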
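Review bot: The `:timeout => 120` on the rate-limit set is an unexplained constant with no unit, while the connection-limit set in the first hunk gets no timeout at all, and nothing in the hunk says why the two differ. A short comment above the hash would keep the next editor from "aligning" them, for instance `# rate-limit entries expire after 120 (presumably seconds) of inactivity; connlimit sets carry no timeout` — the unit should be confirmed against the template that renders the set. The enclosing method starts and ends outside this hunk.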
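Review bot: `set_type` has no `else` branch, so any `ip` value other than `"ip"` or `"ip6"` makes it return `nil`, and both callers then store `:type => nil` in the set description. That would presumably surface only later, as a malformed set definition when the ruleset is rendered or loaded, which is a poor place for a firewall configuration to fail. Failing at the source is safer: add `else raise ArgumentError, "unsupported address family: #{ip.inspect}"` before the closing `end` of the `case`. A one-line comment such as `# Map an nftables family keyword ("ip"/"ip6") to the matching set element type` would also document the helper.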